-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1755.2
                    [DSA 4687-1] exim4 security update
                                19 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exim4
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12783  

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4687
   https://www.debian.org/lts/security/2020/dla-2213
   https://lists.debian.org/debian-lts-announce/2020/05/msg00017.html

Comment: This bulletin contains two (2) Debian security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running exim4 check for an updated version of the software for their
         operating system.

Revision History:  May 19 2020: Vendor released associated DLA notification
                   May 18 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4687-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
May 16, 2020                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from an
authentication bypass vulnerability in the spa authentication driver.
The spa authentication driver is not enabled by default.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.89-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEyNPZz/qecFY/MvpUv3v/BALVJL4FAl6/+lkACgkQv3v/BALV
JL7otgf/dCYVSP74dtG8O2FOuEbd+N2839eJUDvyP4ARrDzXDFOAfnL42D3PGWPB
9l4dVMOkiW3OD5sOQx6AB50Nc3tW1eH3cLxvjFUz0GmSQhyKscJagcI/xXTnyb8n
TKeXGaSrDrlPJ7/tDBo/eh0O9atJUIry1+3lkXXs7m7ie+8CjcqRA6pN1ahfLJE1
ETCBQQknCuimK4piNXgKkWwuxLPJ/9t3goHISHziXbee5gyOEjEJ8MVVugFya968
YklONOy0dk2EOOrWYno8dhNBWhrTfpqAOQ1LCErjOohgAswm66ogBJPlLcRB6oRX
GzevhwyM2O32/tQz0Ei8pKi11ldTLA==
=rzOJ
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

[DLA 2213-1] exim4 security update

Package        : exim4
Version        : 4.84.2-2+deb8u7
CVE ID         : CVE-2020-12783


It was discovered that exim4, a mail transport agent, suffers from an
authentication bypass vulnerability in the spa authentication driver.
The spa authentication driver is not enabled by default.

For Debian 8 "Jessie", this problem has been fixed in version
4.84.2-2+deb8u7.

We recommend that you upgrade your exim4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----